iptables starts dropping packets; temporarily fixed by a restart; only from home

I am running a small apache2 / iRedMail server, but I have a problem with iptables. After working correctly for a while (hours), my server becomes unreachable (edit: from my home internet connection) on some ports (ports 80, 443 tested, edit: apache?) until I restart the iptables service (sudo service iptables restart). Doing that makes everything work again! I have no idea what causes this, especially since it only shows up several hours after restarting the iptables service.

Which log files can I look at? kern.log shows nothing obvious (I read that it contains information about iptables).

All iptables rules are the standard ones used in iRedMail (i.e. /etc/default/iptables).

Thanks in advance!

Edit 1: output of iptables -L -n -v

```
user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy DROP 102 packets, 19966 bytes)
 pkts bytes target            prot opt in   out  source     destination
 9500 2164K fail2ban-dovecot  tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,25,587,110,995,143,993,4190
18543 6112K ACCEPT            all  --  *    *    0.0.0.0/0  0.0.0.0/0   state RELATED,ESTABLISHED
  229 13256 ACCEPT            all  --  lo   *    0.0.0.0/0  0.0.0.0/0
   33  1628 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:80
    0     0 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:8888
  109  6520 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:443
    1    60 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:25
    0     0 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:587
    0     0 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:110
    0     0 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:995
   14   808 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:143
   18  1104 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:993
    0     0 ACCEPT            tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:17655
    1    60 ACCEPT            icmp --  *    *    0.0.0.0/0  0.0.0.0/0   icmptype 8

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target            prot opt in   out  source     destination

Chain OUTPUT (policy ACCEPT 16026 packets, 9143K bytes)
 pkts bytes target            prot opt in   out  source     destination

Chain fail2ban-dovecot (1 references)
 pkts bytes target            prot opt in   out  source     destination
 9500 2164K RETURN            all  --  *    *    0.0.0.0/0  0.0.0.0/0
```

Edit 2: it seems my iptables file was modified on December 15th; this is what it looks like now:

```
# Generated by iptables-save v1.4.14 on Mon Dec 15 23:35:36 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [137:211520]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 17655 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Mon Dec 15 23:35:36 2014
```

This is what it was before, taken from an older backup; besides the comments there are some other differences.

```
#---------------------------------------------------------------------
# This file is part of iRedMail, which is an open source mail server
# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
#
# iRedMail is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# iRedMail is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------
#
# Sample iptables rules. It should be localted at:
#   /etc/sysconfig/iptables
#
# Shipped within iRedMail project:
#   * http://iRedMail.googlecode.com/
#

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# http, https
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8888 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# smtp, submission
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT

# pop3, pop3s
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# imap, imaps
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# ssh
-A INPUT -p tcp --dport 17655 -j ACCEPT
#-A INPUT -p tcp --dport 9999 -j ACCEPT

# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# ejabberd
#-A INPUT -p tcp --dport 5222 -j ACCEPT
#-A INPUT -p tcp --dport 5223 -j ACCEPT
#-A INPUT -p tcp --dport 5280 -j ACCEPT

# ldap/ldaps
#-A INPUT -p tcp --dport 389 -j ACCEPT
#-A INPUT -p tcp --dport 636 -j ACCEPT

# ftp.
#-A INPUT -p tcp --dport 20 -j ACCEPT
#-A INPUT -p tcp --dport 21 -j ACCEPT

COMMIT
```

New output of iptables -L -n -v

```
user@server:~$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 1879 packets, 840K bytes)
 pkts bytes target             prot opt in   out  source     destination
  694  227K fail2ban-postfix   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,25,587,110,995,143,993,4190
  694  227K fail2ban-dovecot   tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,25,587,110,995,143,993,4190
  694  227K fail2ban-roundcube tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   multiport dports 80,443,25,587,110,995,143,993,4190
    0     0 fail2ban-ssh       tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in   out  source     destination

Chain OUTPUT (policy ACCEPT 1706 packets, 707K bytes)
 pkts bytes target             prot opt in   out  source     destination

Chain fail2ban-dovecot (1 references)
 pkts bytes target             prot opt in   out  source     destination
  694  227K RETURN             all  --  *    *    0.0.0.0/0  0.0.0.0/0

Chain fail2ban-postfix (1 references)
 pkts bytes target             prot opt in   out  source     destination
  694  227K RETURN             all  --  *    *    0.0.0.0/0  0.0.0.0/0

Chain fail2ban-roundcube (1 references)
 pkts bytes target             prot opt in   out  source     destination
  694  227K RETURN             all  --  *    *    0.0.0.0/0  0.0.0.0/0

Chain fail2ban-ssh (1 references)
 pkts bytes target             prot opt in   out  source     destination
    0     0 RETURN             all  --  *    *    0.0.0.0/0  0.0.0.0/0
```

Edit 3: output of sudo cat /proc/net/nf_conntrack, with the server IP replaced. It seems very short.

```
ipv4 2 udp 17 145 src=<SERVERIP> dst=213.239.239.166 sport=123 dport=123 src=213.239.239.166 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39571 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39571 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4707 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4707 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4709 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4709 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431291 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=46386 dport=389 src=127.0.0.1 dst=127.0.0.1 sport=389 dport=46386 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39572 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39572 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=92.121.32.40 dst=<SERVERIP> sport=4705 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4705 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50519 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50519 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 112 src=<SERVERIP> dst=213.239.239.164 sport=123 dport=123 src=213.239.239.164 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50515 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50515 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4704 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4704 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50517 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50517 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39573 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39573 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50523 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50523 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50521 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50521 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4701 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4701 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 431975 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=50525 dport=4200 src=127.0.0.1 dst=127.0.0.1 sport=4200 dport=50525 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 113 src=<SERVERIP> dst=213.239.239.165 sport=123 dport=123 src=213.239.239.165 dst=<SERVERIP> sport=123 dport=123 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 100 TIME_WAIT src=92.121.32.40 dst=<SERVERIP> sport=4706 dport=443 src=<SERVERIP> dst=92.121.32.40 sport=443 dport=4706 [ASSURED] mark=0 zone=0 use=2
ipv4 2 tcp 6 429127 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=39570 dport=3306 src=127.0.0.1 dst=127.0.0.1 sport=3306 dport=39570 [ASSURED] mark=0 zone=0 use=2
```

Sounds like you are hitting the limit of the conntrack table.

iptables tracks every TCP connection it "accepts" in a table called "conntrack". This table is used so that future packets (both sent and received) are allowed automatically, i.e. it keeps the "state" of each connection. Because it tracks which ephemeral port is in use, this is more secure than a stateless firewall. http://conntrack-tools.netfilter.org/manual.html

These connections are stored in memory (the "conntrack" table, or state table). The size of the table is limited. Once the table is full, new connections are not accepted, even if you have an "APPROVE" rule that matches them.

You can view the table by reading the file /proc/net/nf_conntrack:

```
cat /proc/net/nf_conntrack
```

You can count the lines in the table to see how full it is:

```
wc -l /proc/net/nf_conntrack
```

You can see the maximum table size by reading the sysctl variable:

```
# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 4194304
```

You can set the size with sysctl. Make sure you also update /etc/sysctl.conf so it is set again on reboot.

My guess is that you have it set to the default, which is very small.

My recommendations are:

  • Increase the size of the table.
  • Your monitoring system should track how many connections are in the table, so you can see it grow over time.
  • Set your monitoring system to alert when the table is nearly full, so you can increase it before problems appear.
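As an added example (not from the original question or answer), here is a POSIX sh check that implements the monitoring advice above: it reads nf_conntrack_count and nf_conntrack_max from /proc/sys/net/netfilter, computes how full the table is and classifies it against warn/critical thresholds. The directory argument, the 70/90 threshold defaults and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a monitoring check for the
# conntrack table, following the answer's advice to track how full it is
# and alert before it fills. Assumes the standard Linux sysctl files under
# /proc/sys/net/netfilter (nf_conntrack_count, nf_conntrack_max); the
# directory can be overridden so the check runs offline on constructed files.
PROC_NETFILTER="${PROC_NETFILTER:-/proc/sys/net/netfilter}"

# Percentage of the table in use, integer arithmetic only (POSIX sh).
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Classify a percentage: OK below warn, WARN from warn up to crit, CRIT at or
# above crit. The 70/90 defaults are assumed, not taken from the page.
conntrack_status() {
    pct=$1; warn=${2:-70}; crit=${3:-90}
    if [ "$pct" -ge "$crit" ]; then echo CRIT
    elif [ "$pct" -ge "$warn" ]; then echo WARN
    else echo OK
    fi
}

# Read the live values (the same numbers the answer gets with
# wc -l /proc/net/nf_conntrack and sysctl net.netfilter.nf_conntrack_max),
# print a one-line report and return non-zero unless the status is OK.
conntrack_check() {
    dir=${1:-$PROC_NETFILTER}
    count=$(cat "$dir/nf_conntrack_count" 2>/dev/null) || return 2
    max=$(cat "$dir/nf_conntrack_max" 2>/dev/null) || return 2
    pct=$(conntrack_usage_pct "$count" "$max")
    status=$(conntrack_status "$pct" "${2:-70}" "${3:-90}")
    echo "$status conntrack $count/$max (${pct}%)"
    [ "$status" = OK ]
}

# The line to add to /etc/sysctl.conf so a raised limit survives a reboot.
conntrack_sysctl_line() {
    echo "net.netfilter.nf_conntrack_max = $1"
}
```

Run `conntrack_check` from cron or a monitoring agent; a non-zero exit status marks a table that needs attention (2 means the sysctl files could not be read).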